diff --git a/cmd/kubeadm/app/phases/certs/certs.go b/cmd/kubeadm/app/phases/certs/certs.go
index e70c3fff08..b67f4655c0 100644
--- a/cmd/kubeadm/app/phases/certs/certs.go
+++ b/cmd/kubeadm/app/phases/certs/certs.go
@@ -39,14 +39,21 @@ func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration) error {
 CreateCACertAndKeyFiles,
 CreateAPIServerCertAndKeyFiles,
 CreateAPIServerKubeletClientCertAndKeyFiles,
+ CreateServiceAccountKeyAndPublicKeyFiles,
+ CreateFrontProxyCACertAndKeyFiles,
+ CreateFrontProxyClientCertAndKeyFiles,
+ }
+ etcdCertActions := []func(cfg *kubeadmapi.MasterConfiguration) error{
 CreateEtcdCACertAndKeyFiles,
 CreateEtcdServerCertAndKeyFiles,
 CreateEtcdPeerCertAndKeyFiles,
 CreateEtcdHealthcheckClientCertAndKeyFiles,
 CreateAPIServerEtcdClientCertAndKeyFiles,
- CreateServiceAccountKeyAndPublicKeyFiles,
- CreateFrontProxyCACertAndKeyFiles,
- CreateFrontProxyClientCertAndKeyFiles,
+ }
+
+ // Currently this is the only way we have to identify static pod etcd vs external etcd
+ if len(cfg.Etcd.Endpoints) == 0 {
+ certActions = append(certActions, etcdCertActions...)
 }
 
 for _, action := range certActions {
diff --git a/cmd/kubeadm/app/phases/certs/certs_test.go b/cmd/kubeadm/app/phases/certs/certs_test.go
index 45d05c892e..502683d675 100644
--- a/cmd/kubeadm/app/phases/certs/certs_test.go
+++ b/cmd/kubeadm/app/phases/certs/certs_test.go
@@ -603,6 +603,7 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 setupFunc func(cfg *kubeadmapi.MasterConfiguration) error
 createFunc func(cfg *kubeadmapi.MasterConfiguration) error
 expectedFiles []string
+ externalEtcd bool
 }{
 {
 createFunc: CreatePKIAssets,
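Review bot: The `len(cfg.Etcd.Endpoints) == 0` test in CreatePKIAssets (certs.go) now gates every etcd certificate, including the API server's etcd client certificate, yet nothing in this hunk confirms that an external-etcd configuration supplies its own CA and client credentials. If validation elsewhere does not enforce that, this phase succeeds silently and the API server may be left without the material for mutual TLS to etcd, so please confirm the check exists. Since the comment admits the test is a heuristic, I would put it behind one named predicate so that every phase agrees on what external etcd means. I would also state the contract on the function, e.g. `// CreatePKIAssets skips all etcd certificates when cfg.Etcd.Endpoints is set; the operator must then provide the etcd CA and client cert/key.` The body of CreatePKIAssets starts and ends outside the hunk.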
@@ -620,6 +621,18 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 kubeadmconstants.FrontProxyClientCertName, kubeadmconstants.FrontProxyClientKeyName,
 },
 },
+ {
+ createFunc: CreatePKIAssets,
+ externalEtcd: true,
+ expectedFiles: []string{
+ kubeadmconstants.CACertName, kubeadmconstants.CAKeyName,
+ kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName,
+ kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName,
+ kubeadmconstants.ServiceAccountPrivateKeyName, kubeadmconstants.ServiceAccountPublicKeyName,
+ kubeadmconstants.FrontProxyCACertName, kubeadmconstants.FrontProxyCAKeyName,
+ kubeadmconstants.FrontProxyClientCertName, kubeadmconstants.FrontProxyClientKeyName,
+ },
+ },
 {
 createFunc: CreateCACertAndKeyFiles,
 expectedFiles: []string{kubeadmconstants.CACertName, kubeadmconstants.CAKeyName},
@@ -685,6 +698,10 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 CertificatesDir: tmpdir,
 }
 
+ if test.externalEtcd {
+ cfg.Etcd.Endpoints = []string{"192.168.1.1:2379"}
+ }
+
 // executes setup func (if necessary)
 if test.setupFunc != nil {
 if err := test.setupFunc(cfg); err != nil {
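Review bot: The external-etcd case added to TestCreateCertificateFilesMethods (hunk at -620) lists only files that must exist, so it would presumably still pass if CreatePKIAssets went on writing the etcd CA, server and peer keys for an external-etcd config. The assertion loop is outside these hunks, so please confirm how expectedFiles is checked. I would add a negative check for this case, for example an `unexpectedFiles []string` field holding the etcd certificate and key names, with an assertion that none of them is present in tmpdir after the call. That pins the property the change is about, namely that no unused etcd CA private key is left in the certificates directory.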